Module 7 Lab: Security operations integration

Module 7 Lab: Security operations integration#

Design a SOC triage workflow.

Lab Context#

This lab uses synthetic security telemetry with login velocity, data transfer volume, process rarity, and threat labels as a safe proxy for the course setting. It is not a substitute for institutional data, but it lets you practice the reasoning, metrics, and documentation pattern before working with real records.

Lab Tasks#

  1. Run the baseline analysis.

  2. Identify the decision the metric supports.

  3. Change one threshold, score weight, or input assumption.

  4. Compare the result before and after your change.

  5. Record one deployment risk that the synthetic data cannot reveal.

import numpy as np
import matplotlib.pyplot as plt

rng = np.random.default_rng(7)
n = 96
exposure = rng.beta(2, 4, size=n)
severity = rng.beta(2.5, 2.5, size=n)
control_gap = rng.beta(3, 5, size=n)
activity = rng.beta(2, 6, size=n)
business_impact = rng.beta(2, 3, size=n)

risk_score = 0.25*exposure + 0.25*severity + 0.20*control_gap + 0.15*activity + 0.15*business_impact
threshold = float(np.quantile(risk_score, 0.80))
priority = risk_score >= threshold

plt.figure(figsize=(6, 3))
plt.scatter(severity, risk_score, c=priority, cmap="coolwarm", s=24)
plt.xlabel("severity")
plt.ylabel("risk/detection priority")
plt.title("Module 7 Lab: Security operations integration")
plt.tight_layout()

summary = {
    "priority_count": int(priority.sum()),
    "threshold": threshold,
    "top_indices": np.argsort(risk_score)[-5:][::-1].tolist(),
    "review_note": "Inspect high-score cases for false positives and missing context before action.",
}
summary

{'priority_count': 20,
 'threshold': 0.4471467554950364,
 'top_indices': [25, 95, 52, 29, 41],
 'review_note': 'Inspect high-score cases for false positives and missing context before action.'}
../_images/b84425debcaf4114c4ddde81fd9d5ab6ef0afb2bff152cdc0b85bce54e970eb6.png 
reflection = {
    "what_changed": "",
    "metric_before": "",
    "metric_after": "",
    "interpretation": "",
    "synthetic_data_limit": "",
    "next_real_world_evidence_needed": "",
}
reflection

{'what_changed': '',
 'metric_before': '',
 'metric_after': '',
 'interpretation': '',
 'synthetic_data_limit': '',
 'next_real_world_evidence_needed': ''}